2 Answers
2

By looking at /etc/passwd in the backups taken of your system from the day/week/period before the user deletion.

If userdel was used with -r, then both the home directory and user's mail spool have gone. If it wasn't used with -r, check for the user's mail spool, or perhaps a crontab if you're very lucky.

If there are no backups, and no obvious files owned by that user you can check, then you'll need to scout around places like /tmp and look for files with UID's as owners and try and work it out - but really, your backup is your best bet.

Edit: as jw013 points out you could also use find / -nouser to find files which have no matching user for the file's UID.

You can try: find / -uid <UID> to find all files owned by the user. -uid is an option on GNU find at least.
–
donothingsuccessfullyMay 14 '12 at 17:31

12

Actually, GNU find has the -nouser test for this purpose - it tests true for files whose uid does not correspond to any user on the system.
–
jw013May 14 '12 at 18:32

4

@jw013 this approach works only if you have deleted only one user from system but if you have a system with 300 users that worked for 5 years with tens of deleted users you can't use this method at all.
–
XinHuaMay 16 '12 at 6:40

2

This is an example that only describes a situation in which your suggestion doesn't work nothing more.
–
XinHuaMay 16 '12 at 14:03

2

Well, -nouser in combination with -mtime would let you find out the most recently active unowned files, which would probably help.
–
EightBitTonyMay 16 '12 at 20:07